Reference:
https://live.paloaltonetworks.com/t5/Management-Articles/What-does-the-Number-of-Bytes-in-the-Traffic-Log-represent/ta-p/56208
https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711
I have a rule that uses icmp/ping/traceroute as the application, and the service is Any instead of the correct “application-default”; nmap will show that a lot of ports are open.
I use telnet to the target on the port, and keep pressing Enter to send data through the firewall.
The firewall requires enough bytes of payload to determine which application the traffic belongs to before it can decide whether the traffic is allowed; the magic number is between 450 and 465 bytes.
Once the firewall has received 450 to 465 bytes without identifying the application, it gives up, marks the traffic as unknown-tcp, and drops it.
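The practical consequence of the note above is twofold for a defender: an allow rule that pins applications but leaves the service as Any is the misconfiguration to look for, and the traffic log shows the symptom as sessions on arbitrary ports whose application field never resolves (incomplete, insufficient-data, unknown-tcp) and whose byte counts sit below or right at the give-up threshold. The script below is an added example, not code from the original note or from Palo Alto Networks; the rule and session records are constructed and simplified, and the field names (`applications`, `service`, `app`, `bytes_total`) are assumptions rather than the real PAN-OS export or log CSV layout.

```python
"""Audit application-based allow rules for service=any and triage the
unidentified sessions that such rules let through.

Added example, not from the original note or from Palo Alto Networks.
All records below are constructed; field names are assumptions and do not
reproduce the real PAN-OS configuration export or traffic-log CSV layout.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Payload size the note observed before App-ID gives up and drops the flow.
APPID_GIVEUP_MIN = 450
APPID_GIVEUP_MAX = 465

# Application-field values that mean "App-ID never identified this flow".
UNIDENTIFIED_APPS = {"incomplete", "insufficient-data", "unknown-tcp", "not-applicable"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    applications: tuple  # e.g. ("icmp", "ping", "traceroute"); ("any",) for any
    service: str         # "any", "application-default" or a named service object


@dataclass(frozen=True)
class Session:
    rule: str        # rule that matched the session
    app: str         # application field as logged
    dport: int       # destination port
    bytes_total: int # total bytes sent + received


def audit_rules(rules: Iterable[Rule]) -> List[str]:
    """Return allow rules that pin applications but leave the service as any.

    Such a rule lets a TCP handshake complete on any port while App-ID waits
    for payload, which is why a port scanner reports those ports as open.
    """
    return [
        r.name for r in rules
        if r.action == "allow"
        and "any" not in r.applications
        and r.service.lower() == "any"
    ]


def triage_sessions(sessions: Iterable[Session], weak_rules: Set[str]) -> List[Dict]:
    """Collect sessions on weak rules whose application never resolved.

    Each finding records whether the flow reached the byte range at which the
    note observed App-ID giving up (marked unknown-tcp and dropped).
    """
    findings = []
    for s in sessions:
        if s.rule in weak_rules and s.app in UNIDENTIFIED_APPS:
            findings.append({
                "rule": s.rule,
                "dport": s.dport,
                "app": s.app,
                "bytes_total": s.bytes_total,
                "reached_giveup": s.bytes_total >= APPID_GIVEUP_MIN,
            })
    return findings


def exposed_ports(findings: Iterable[Dict]) -> List[int]:
    """Sorted list of destination ports a scanner would have seen as open."""
    return sorted({f["dport"] for f in findings})


# Constructed sample data (not real configuration or log output).
SAMPLE_RULES = [
    Rule("allow-ping", "allow", ("icmp", "ping", "traceroute"), "any"),
    Rule("allow-web", "allow", ("web-browsing", "ssl"), "application-default"),
    Rule("allow-any", "allow", ("any",), "any"),  # application any, different problem
]

SAMPLE_SESSIONS = [
    Session("allow-ping", "ping", 0, 98),                  # legitimate ICMP echo
    Session("allow-ping", "incomplete", 22, 74),           # handshake only
    Session("allow-ping", "insufficient-data", 3389, 120), # a few keystrokes
    Session("allow-ping", "unknown-tcp", 8080, 460),       # hit the give-up range
    Session("allow-web", "ssl", 443, 5120),                # normal, ignored
]

if __name__ == "__main__":
    weak = set(audit_rules(SAMPLE_RULES))
    print("rules with applications pinned but service=any:", sorted(weak))
    found = triage_sessions(SAMPLE_SESSIONS, weak)
    for f in found:
        print(f)
    print("ports a scanner would report open:", exposed_ports(found))
```

Changing the flagged rule's service to application-default closes the gap described in the note: the firewall then only completes the handshake on the ports the listed applications actually use, so the half-open probes on 22, 3389 and 8080 in the sample never appear.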